Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: Peter Lind <peter.e.lind@gmail.com>
Date: Sat, 28 Sep 2013 12:35:35 +0200
To: Leigh
Cc: PHP Internals, Yasuo Ohgaki, Tjerk Meesters, Madara Uchiha

On 28 September 2013 12:25, Leigh wrote:
>
> On Sep 28, 2013 10:39 AM, "Peter Lind" wrote:
> >
> > So you're stuck with two choices: accept that PHP security is lax and
> > that as a result a lot of code will have many attack vectors, or try to
> > change the language itself for the better. The third option of "educate" is
> > a mirage.
> >
>
> PHP provides you with all the tools you need to write secure apps. I could
> go around writing mysql_query($_REQUEST["blah"]) but I don't. Why? Because
> I have been educated. We don't have restrictions in the core that prevent
> me from doing it, and we don't need them either.
>

Care to back that up with an argument?

> I agree with you, being secure by default is a worthy objective, but the
> proposal here shouldn't even be on by default. (remember not everyone is
> able to control their ini settings and whatnot)
>

Worthy objective? You just stated your opinion that you don't want default
protection in the core language. Which is it?

> Education is not a mirage. People picked up their insecure coding habits
> from somewhere, and if it's from laziness then I don't think they really
> deserve protecting. If it was from a terrible blog article promoting
> insecure practices then we need better articles. There's not much we can do
> to remove the content that's already out there, but there's a lot we can do
> with providing new, up to date and accurate content.
>

How many years has PHP been around? For how long have we been trying to
educate people to avoid mysql_* functions? Has it worked? No.

You can educate a fair amount of people, but when you have the userbase of
PHP it's downright stupid to think you'll get the majority on board.

Also, saying that people deserve what they get because they're not educated
developers is being arrogant.

--
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
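The thread debates whether PHP core should rotate the session ID itself when the client's IP address changes, or leave that to educated developers. As an added example (not PHP core's code, not the proposal's patch, and not code from anyone in the thread), here is what that policy looks like when done in userland today. The `$_SESSION` key name `__client_addr`, the `$destroyData` switch and the logging call are assumptions made for the illustration; the session API calls (`session_regenerate_id()`, `session_status()`) are the real ones.

```php
<?php
declare(strict_types=1);

/**
 * Compare the client address recorded in the session with the address of
 * the current request. Returns true when the session ID was rotated
 * because the address changed, false otherwise.
 *
 * $session is taken by reference so the logic can be exercised against a
 * plain array without session_start(); in production pass $_SESSION.
 *
 * $destroyData = false: keep the session data, only rotate the ID (the
 *   behaviour the thread subject describes).
 * $destroyData = true: also discard the session data, so whoever now holds
 *   the cookie has to authenticate again.
 */
function rotateSessionOnAddressChange(array &$session, string $clientAddr, bool $destroyData = false): bool
{
    // Assumed key name; any name that cannot collide with application data works.
    $key = '__client_addr';

    if (!isset($session[$key])) {
        // First request of this session: record the address, nothing to compare yet.
        $session[$key] = $clientAddr;
        return false;
    }

    if (hash_equals($session[$key], $clientAddr)) {
        return false;
    }

    // The address changed. Decide what survives the rotation.
    if ($destroyData) {
        // Assignment through the reference clears the caller's array ($_SESSION in production).
        $session = [];
    }
    $session[$key] = $clientAddr;

    if (session_status() === PHP_SESSION_ACTIVE) {
        // Issue a new ID and delete the old session record, so the old cookie
        // no longer maps to anything server side.
        session_regenerate_id(true);
    }
    return true;
}

// Production usage (assumed wiring):
//   session_start();
//   if (rotateSessionOnAddressChange($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '')) {
//       error_log('session ID rotated after client address change');
//   }

// Offline demonstration with a constructed session array; no session_start() needed.
$sess = ['user_id' => 42];
rotateSessionOnAddressChange($sess, '203.0.113.10');        // first sight: address recorded
rotateSessionOnAddressChange($sess, '203.0.113.10');        // same address: nothing happens
rotateSessionOnAddressChange($sess, '198.51.100.7');        // changed: rotated, user_id kept
rotateSessionOnAddressChange($sess, '203.0.113.10', true);  // changed again: rotated, data dropped
var_dump($sess);
```

Two caveats a practitioner would want before turning this on anywhere. First, rotating the ID hands the new ID to whoever made the request that triggered the rotation; if that request came from someone holding a stolen cookie, plain rotation gives them the fresh ID and logs out the legitimate user, which is why the `$destroyData` variant forces re-authentication instead. Second, client addresses change for legitimate reasons (mobile networks, load-balanced proxies, NAT pools), so the check produces false positives on exactly the deployments that, as Leigh notes, often cannot change their ini settings to opt out.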